Passwords on a Phone

Presentation

Almost all Android apps from major retailers store your password on the phone, which is dangerous and unnecessary. And they don't even use the Android KeyStore; they just use custom encryption schemes that generate a key in predictable ways, so passwords are easily recoverable. This is “fake encryption”: the data appears to be encrypted but is not actually protected from attackers.

The Safeway app is typical: it encrypts passwords with AES, generating the key from other values that are stored on the phone. I notified Safeway of this in April 2017, but they never fixed it.

I will present results of my tests of many top retailers, and demonstrate how to steal passwords from them. I will also list a few (very few) companies who actually protect their customers' passwords properly.

The purpose of this talk is to raise awareness of the poor quality of retail Android apps, and to encourage developers to improve their products.

The Speaker(s)

Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at CodeCamp, DEFCON, BayThreat, LayerOne, and Toorcon, and taught classes and seminars at many other schools and teaching conferences.
He has a Ph.D. and a CISSP and a lot of other certifications, and a lot of computers and cables and firewalls and stuff.